Privilege Escalation · Learn

Linux privilege escalation.

On Linux, the goal is root. Attackers get there through SUID binaries, weak sudo rules, dangerous capabilities, writable cron jobs, PATH tricks, and unpatched kernels. Here is the plain-language map of how Linux privilege escalation works and how to enumerate for it.

TL;DR

Linux privilege escalation is the set of techniques an attacker uses to go from a normal user to root. The common paths are SUID/SGID binaries, misconfigured sudo rules, dangerous Linux capabilities, writable or attacker-controlled cron jobs, PATH hijacking, exposed credentials, and kernel exploits. It is mostly an enumeration problem: list the system carefully, find the one misconfiguration that grants root, and use it. Resources like GTFOBins map which standard binaries can be turned into an escalation.

By John Dill, Red Team Lead, SecureLayer7

The goal: become root

On Linux the superuser is root (UID 0). A root process holds the full capability set, so ordinary file permissions do not constrain it. An attacker with a normal shell wants to become root so they can read every file (including /etc/shadow, where the password hashes live), install persistence, and harvest credentials.

They rarely need a single exotic exploit. They need one of many possible misconfigurations to line up.

The common escalation paths

The recurring Linux privesc vectors, each with its own page:

  • SUID/SGID binaries: executables carrying the set-user-ID or set-group-ID bit, which run with the file owner's UID (or group's GID) instead of the caller's. When the owner is root and the binary can spawn a shell or write arbitrary files, that is a root shell.
  • sudo misconfiguration: over-broad or NOPASSWD rules, for example letting a user run an editor, interpreter or pager as root.
  • Linux capabilities: individual root powers (such as cap_setuid) attached to a binary as file capabilities, so it escalates without the full SUID bit.
  • Cron jobs: scheduled tasks running as root that execute a script or binary the low-privileged user can write to.
  • PATH hijacking: a privileged program that calls a command by bare name, resolved through a PATH the attacker controls.
  • Kernel exploits: an unpatched kernel with a public exploit. Noisy and liable to crash the host, so usually the last resort.
  • Writable /etc/passwd: appending a UID 0 entry with a password hash you know.
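The PATH-hijacking entry above is the one vector that is easy to show safely on an ordinary user account. The script below is an added, constructed demonstration (it is not code from the original page): a "privileged" routine that calls id by bare name is compared with one that pins PATH to trusted directories first. Nothing runs as root; make_evil_dir, vulnerable_task, hardened_task and run_with_hijacked_path are hypothetical names chosen for the example.

```shell
#!/bin/sh
# Constructed demonstration of PATH hijacking (not from the original page).
# A routine that resolves `id` through the caller's PATH can be made to run
# an attacker-supplied `id` from a directory the attacker controls.

# Build a directory the "attacker" controls containing a fake id(1).
# Hypothetical helper; the directory is created fresh so the demo is self-contained.
make_evil_dir() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho HIJACKED\n' > "$d/id"
    chmod 755 "$d/id"
    printf '%s\n' "$d"
}

# Vulnerable routine: looks `id` up through whatever PATH the caller supplied.
# In a real SUID binary calling system("id"), or a root cron script, this is the bug.
vulnerable_task() {
    id -un
}

# Hardened routine: runs in a subshell and pins PATH to trusted directories
# before calling anything, so a directory the caller prepended has no effect.
hardened_task() (
    PATH=/usr/sbin:/usr/bin:/sbin:/bin
    export PATH
    id -un
)

# Run a routine with the attacker's directory prepended to PATH, the way an
# attacker-controlled environment would present it. Runs in a subshell so the
# caller's PATH is untouched; prints the routine's output.
run_with_hijacked_path() {
    evil=$1
    routine=$2
    ( PATH="$evil:$PATH"; export PATH; "$routine" )
}
```

Against the same poisoned PATH, vulnerable_task prints HIJACKED while hardened_task prints the real user name. The same fix applies to real targets: reset PATH (or call binaries by absolute path) in anything that runs privileged, and keep secure_path set in sudoers so sudo ignores the invoking user's PATH.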

Enumeration: where it starts

Every Linux escalation starts with enumeration. A few of the first commands an attacker (or tester) runs:

  • id and sudo -l to see current rights and sudo permissions (sudo -l may prompt for the user's password)
  • find / -perm -4000 -type f 2>/dev/null to list SUID binaries (use -perm -2000 for SGID)
  • getcap -r / 2>/dev/null to list file capabilities
  • uname -a to check the kernel version
  • inspect /etc/crontab and /etc/cron.d, and test whether /etc/passwd, sudoers files or any root-run script is writable

linpeas, from the PEASS-ng project, automates this sweep. The skill is reading the output and recognising which finding actually leads to root: a SUID bit on passwd is normal, a SUID bit on find is a root shell.
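As an added example of the enumeration step (not linpeas and not code from the original page), the script below runs the commands listed above and applies the triage the paragraph describes: SUID files are matched against a small hand-picked subset of the binaries GTFOBins documents as SUID-to-root-shell entries. That subset, and the function names find_suid, flag_gtfobins, writable_sensitive and sweep, are assumptions for the example; consult gtfobins.github.io for the full list.

```shell
#!/bin/sh
# Added enumeration sweep for a low-privileged Linux shell (not from the page).
# Lists the usual privesc indicators and flags SUID binaries by name.

# Assumed subset of binaries GTFOBins lists as giving a root shell when SUID.
GTFOBINS_SUID="bash sh dash find vim vi nano less more env awk gawk perl python python3 cp mv"

# Print SUID regular files under the given root (default /).
# -perm -4000 is the set-user-ID bit; -xdev stays on one filesystem so
# network mounts are skipped. Unreadable directories are expected for a
# low-privileged user, so find's non-zero status is ignored.
find_suid() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null || true
}

# Read paths on stdin; print only those whose basename is in GTFOBINS_SUID.
# A SUID passwd or sudo is normal; a SUID find or vim is the finding.
flag_gtfobins() {
    while IFS= read -r path; do
        name=${path##*/}
        for b in $GTFOBINS_SUID; do
            if [ "$name" = "$b" ]; then
                printf '%s\n' "$path"
                break
            fi
        done
    done
    return 0
}

# Report privileged files the current user can write to.
writable_sensitive() {
    for f in /etc/passwd /etc/shadow /etc/sudoers /etc/crontab /etc/cron.d/*; do
        [ -w "$f" ] && printf 'WRITABLE: %s\n' "$f"
    done
    return 0
}

# The full sweep, in the order a tester would read it.
sweep() {
    echo "== identity"; id
    echo "== sudo rules"
    sudo -n -l 2>/dev/null || echo "(sudo -l needs a password or sudo is absent)"
    echo "== kernel"; uname -r
    echo "== SUID binaries that are GTFOBins entries"
    find_suid / | flag_gtfobins
    echo "== file capabilities"
    getcap -r / 2>/dev/null
    echo "== writable privileged files"
    writable_sensitive
}
```

Matching on basename is deliberately crude: Debian installs vim as vim.basic, and a custom binary with a harmless name can still be exploitable, so the flagged list is a starting point for reading the output, not a verdict.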



Find the privilege-escalation paths before an attacker does.

We run internal and host penetration tests that walk the real route from a low-privileged foothold to root or SYSTEM, then hand your team a report with reproducible evidence and a fix for every step. Free re-test included.

30-minute scoping call, fixed-price proposal in 48 hours.